Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 36 |
1 files changed, 29 insertions, 7 deletions
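--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.131 2003/11/17 09:45:39 djm Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.132 2003/11/17 11:06:07 markus Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -222,7 +222,7 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
-{"gssapi",
+{"gssapi-with-mic",
 userauth_gssapi,
 &options.gss_authentication,
 NULL},
@@ -543,10 +543,12 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 Authctxt *authctxt = ctxt;
 Gssctxt *gssctxt = authctxt->methoddata;
 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-OM_uint32 status, ms;
+gss_buffer_desc gssbuf, mic;
+OM_uint32 status, ms, flags;
+Buffer b;
 
 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-recv_tok, &send_tok, NULL);
+recv_tok, &send_tok, &flags);
 
 if (send_tok.length > 0) {
 if (GSS_ERROR(status))
@@ -560,9 +562,29 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 }
 
 if (status == GSS_S_COMPLETE) {
-/* If that succeeded, send a exchange complete message */
-packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
-packet_send();
+/* send either complete or MIC, depending on mechanism */
+if (!(flags & GSS_C_INTEG_FLAG)) {
+packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+packet_send();
+} else {
+ssh_gssapi_buildmic(&b, authctxt->server_user,
+authctxt->service, "gssapi-with-mic");
+
+gssbuf.value = buffer_ptr(&b);
+gssbuf.length = buffer_len(&b);
+
+status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
+
+if (!GSS_ERROR(status)) {
+packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
+packet_put_string(mic.value, mic.length);
+
+packet_send();
+}
+
+buffer_free(&b);
+gss_release_buffer(&ms, &mic);
+}
 }
 
 return status;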
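Review bot: In process_gssapi_token, `mic` is declared without an initializer but is handed to `gss_release_buffer(&ms, &mic)` unconditionally at the end of the new else branch, including when `ssh_gssapi_sign` has returned an error. Whether the sign helper always fills in the output buffer on failure is not visible in this diff, so the release may be operating on an indeterminate pointer and length. Declaring it the way `send_tok` is declared in the same function, `gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;`, makes the release safe on every path. A failed sign is also silent here: no MIC packet is sent and nothing is logged, so a short `debug()` line in that case would help diagnose an authentication that stalls. The function begins before and ends after the lines shown in these hunks.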